← Integrations

Automated SSL certificate renewal for Citrix NetScaler

NetScaler won't update a renewed certificate on its own. CertKit will.

A NetScaler binds a named SSL certificate-key pair to load balancing virtual servers, services, and Citrix Gateway. When a certificate renews, the files under /nsconfig/ssl go stale and every binding keeps serving the old certificate until someone uploads the new files, updates the certkey, and saves the configuration. Every 47 days. On every appliance you manage.

CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your NetScaler appliances automatically via the CertKit Agent over SSH, refreshes the certkey pair in place, and saves the config.

Start free trial Watch demo

Built for Citrix NetScaler

The pre-built NetScaler deployment template ships in your CertKit account. No scripting required.

CertKit renews your NetScaler certificate for you. On every renewal it uploads the new certificate and private key over SCP, runs update ssl certkey so the pair refreshes in place, and saves the running configuration. Every virtual server, service, and Citrix Gateway bound to that certkey serves the new certificate immediately. No per-vserver rebinding, no service restart.

The pre-built NetScaler template ships with your CertKit account. Point CertKit at your appliance once and it handles every renewal after that. If you want to see or adjust exactly what runs, the full deployment script is right there in your account.

How to install an SSL certificate on Citrix NetScaler

The manual process, if you want to do it yourself:

  1. Create a certificate request. Under Traffic Management → SSL, create a Certificate Signing Request on the appliance, or create the CSR and key externally. A wildcard certificate covers Gateway and every virtual server on the domain with one certkey.
  2. Submit the CSR to a certificate authority. Purchase a certificate or use a free ACME CA, then wait for the signed certificate file to come back.
  3. Upload the certificate and key. Under Traffic Management → SSL → Certificates, choose Install, or copy the PEM and key to /nsconfig/ssl over SCP. Point at the wrong path and the install fails with "cannot find file or folder".
  4. Update the certkey pair. Select the existing certificate-key pair and choose Update, so every LB vserver, service, and Citrix Gateway binding refreshes at once. A brand-new certkey has to be bound to each SSL vserver by hand instead. If the subject changed, the update fails a domain check you have to override.
  5. Save the running configuration. Run save ns config, or the renewal disappears on the next reboot. Then repeat on every appliance that doesn't share HA config.

Every one of these steps is manual, and NetScaler won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, on every MPX, VPX, and SDX you run. Miss one and Citrix Gateway greets remote workers with an expired certificate.

At 47 days, automation is the only sustainable way to run NetScaler certificates. Here's how CertKit does it.

How it works

 Your network            CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│  ┌─────────────┐  │     │                  │    │             │
│  │Deploy Agent │◄─┼─────┤  Issue & Renew   │◄──►│             │
│  └──┬────┬─────┘  │     │   Certificates   │    │             │
│     │    │ SSH/   │     │                ┌───┐  └─────────────┘
│     │    │ SCP    │     └───────────┬────│DNS│
│     ▼    ▼        │                 │    └───┘
│ ┌──────────────┐  │                 │
│ │ NetScaler    │  │                 │
│ │ [x] Uploaded │  │ ◄───────────────┘
│ │ [x] Updated  │  │       Verify
│ └──────────────┘  │
└───────────────────┘

CertKit issues and renews certificates centrally in the cloud using delegated DNS validation. You create a one-time CNAME record; CertKit handles every ACME challenge after that.

The deploy agent is a small service you run on a Windows host inside your network. It makes an outbound HTTPS connection to CertKit to pull each renewed certificate, then connects to the NetScaler management address (NSIP) over SSH on your LAN to upload the files and refresh the certkey pair. The appliance never talks to CertKit or the public internet directly, never runs ACME, needs no port 80 open, and never stores DNS credentials. One deploy agent can reach every NetScaler and other appliance on that network, so there's nothing to install on the appliances themselves.

Using CertKit to manage our public-facing SSL certificates has been an excellent decision. The platform is user-friendly, certificates are easy to deploy, and the automation agent streamlines the entire certificate lifecycle, eliminating concerns around shortening certificate validity periods.

Chris Austin, IT Engineer, Buckman

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Authorize an SSH key. Generate a key pair with ssh-keygen and add the public key to the NetScaler user's authorized keys (/nsconfig/ssh/authorized_keys for nsroot). A dedicated automation account is better practice than nsroot.
  3. Install the CertKit Agent. One command on any Windows host with SSH reachability to the NSIP. The agent runs as a background service and needs no inbound firewall rules.
  4. Add the NetScaler deployment script. The pre-built template is in your account. Set the NSIP, SSH user, key path, and the certkey name from Traffic Management → SSL → Certificates. CertKit runs it on every renewal.

See the full architecture →

Why not run ACME on the NetScaler?

Answering ACME challenges from the appliance itself is fragile. HTTP-01 means maintaining responder policies for the challenge path on every domain's virtual server. DNS-01 means storing DNS provider credentials on the device that terminates TLS for your applications, which is a privilege escalation waiting to happen.

Scripting the renewal yourself has its own sharp edges: SSH automation against the NSIP, the domain check that rejects an update when the subject changed, keeping /nsconfig/ssl in sync across HA nodes, and the save ns config everyone forgets until a reboot rolls the certificate back. We built and tested the deployment so you don't have to. CertKit issues the certificate via delegated DNS validation, then the agent handles the upload, the certkey update, and the save as one verified step, with no ACME client on the appliance.

NetScaler is just one part of your network edge

Most networks have more than one place where TLS certificates live: F5 load balancers, firewalls like Fortinet, Palo Alto, and SonicWall, plus the web servers behind them. CertKit automates all of it from one account.

See all integrations

Start automating NetScaler certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.

Start free trial See pricing